Package: lm-sensors
Version: 1:2.9.1-5
Severity: grave
Tags: security patch
lm-sensors's configuration script pwmconfig, which is generally run as root to probe the fan controls and generate a new configuration file, uses files under /tmp in an unsafe way that makes symlink attacks possible: the temporary configuration file is written to the hardcoded name '/tmp/fancontrol'.

Thanks to Javier Fernández-Sanguino Peña <[EMAIL PROTECTED]>, who first reported the bug to me.
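For comparison, here is a hardened form of the SaveConfig step as an added example (not lm-sensors code and not the patch below): it uses mktemp rather than Debian's tempfile, creates the scratch file next to the target so the final mv is an atomic rename on one filesystem, and makes the signal handlers exit so an interrupted run cannot install a half-built file. The function name save_config is made up for the example; the INTERVAL/FCTEMPS/... variables are the ones pwmconfig sets.

```shell
#!/bin/sh
# Hardened form of pwmconfig's SaveConfig, written for this report
# (not lm-sensors code). The INTERVAL/FCTEMPS/... variables are the
# ones pwmconfig sets; the function name save_config is made up here.
save_config() {
    target=$1
    # Create the scratch file beside the target, not under /tmp: mktemp
    # picks an unpredictable name and opens it O_EXCL with mode 0600, so a
    # pre-placed symlink cannot redirect the write, and the later rename
    # stays on one filesystem and is therefore atomic.
    tmpfile=$(mktemp "$(dirname "$target")/.fancontrol.XXXXXX") || return 1
    # Remove the scratch file on any exit; the signal handlers exit so the
    # EXIT trap runs and the script does not carry on with a deleted file.
    trap 'rm -f -- "$tmpfile"' EXIT
    trap 'exit 1' HUP INT QUIT PIPE TERM
    # Carry over every old line except the keys being rewritten. grep -v
    # exits 1 when no line is left, which is not an error here.
    if [ -f "$target" ]; then
        grep -Ev '^(INTERVAL|FCTEMPS|FCFANS|MAXTEMP|MINTEMP|MINSTART|MINSTOP)=' \
            "$target" >"$tmpfile" || [ $? -eq 1 ] || return 1
    fi
    printf '%s\n' "INTERVAL=$INTERVAL" "FCTEMPS=$FCTEMPS" "FCFANS=$FCFANS" \
        "MINTEMP=$MINTEMP" "MAXTEMP=$MAXTEMP" "MINSTART=$MINSTART" \
        "MINSTOP=$MINSTOP" >>"$tmpfile" || return 1
    # mktemp made the file 0600; give it the mode a umask-created file gets.
    chmod 644 "$tmpfile" || return 1
    # rename(2) swaps the file in one step: readers see old or new, never half.
    mv -f -- "$tmpfile" "$target" || return 1
    trap - EXIT HUP INT QUIT PIPE TERM
}
```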
--- pwmconfig.orig 2005-08-05 18:36:40.000000000 +0200
+++ pwmconfig 2005-08-05 18:37:47.000000000 +0200
@@ -465,9 +465,11 @@
function SaveConfig {
echo
echo "Saving configuration to $FCCONFIG..."
- egrep -v '(INTERVAL|FCTEMPS|FCFANS|MAXTEMP|MINTEMP|MINSTART|MINSTOP)'
$FCCONFIG >/tmp/fancontrol
- echo -e
"INTERVAL=$INTERVAL\nFCTEMPS=$FCTEMPS\nFCFANS=$FCFANS\nMINTEMP=$MINTEMP\nMAXTEMP=$MAXTEMP\nMINSTART=$MINSTART\nMINSTOP=$MINSTOP"
>>/tmp/fancontrol
- mv /tmp/fancontrol $FCCONFIG
+ tmpfile=`tempfile` || { echo "$0: Cannot create temporary file" >&2;
exit 1; }
+ trap " [ -f \"$tmpfile\" ] && /bin/rm -f -- \"$tmpfile\"" 0 1 2 3 13 15
+ egrep -v '(INTERVAL|FCTEMPS|FCFANS|MAXTEMP|MINTEMP|MINSTART|MINSTOP)'
$FCCONFIG >$tmpfile
+ echo -e
"INTERVAL=$INTERVAL\nFCTEMPS=$FCTEMPS\nFCFANS=$FCFANS\nMINTEMP=$MINTEMP\nMAXTEMP=$MAXTEMP\nMINSTART=$MINSTART\nMINSTOP=$MINSTOP"
>>$tmpfile
+ mv $tmpfile $FCCONFIG
#check if file was written correctly
echo 'Configuration saved'
}
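Review bot: the signal traps (1 2 3 13 15) only remove the file and do not exit, so after a Ctrl-C during the `egrep` the script carries on: the `>>$tmpfile` line recreates the just-removed file and `mv $tmpfile $FCCONFIG` installs a config holding only the seven new keys, dropping everything else that was in $FCCONFIG. Make the signal handlers exit (for example `trap 'exit 1' 1 2 3 13 15` next to the EXIT trap) so the cleanup trap is the last thing that runs. Two smaller points: `tempfile` is a debianutils command, so this ties an upstream script to Debian where `mktemp` would be portable, and `$tmpfile` is quoted in the trap but not in `>$tmpfile`, `>>$tmpfile` or the `mv` line; quote it consistently.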
-- System Information:
Debian Release: testing/unstable
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: i386 (i686)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.12
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to fr_FR.UTF-8)
Versions of packages lm-sensors depends on:
ii debconf [debconf-2.0] 1.4.57 Debian configuration management sy
ii libc6 2.3.5-3 GNU C Library: Shared libraries an
ii libsensors3 1:2.9.1-5 library to read temperature/voltag
ii makedev 2.3.1-78 creates device files in /dev
ii perl 5.8.7-4 Larry Wall's Practical Extraction
ii sed 4.1.4-2 The GNU sed stream editor
ii sysvinit 2.86.ds1-1 System-V like init
ii ucf 2.001 Update Configuration File: preserv
Versions of packages lm-sensors recommends:
ii kernel-image-2.6.12 [kernel 10.00.Custom Linux kernel binary image for vers
ii lm-sensors-2.4.27-2-k7 [lm- 1:2.9.1-5 kernel drivers to read temperature
-- debconf information excluded